The legal department is an increasingly important presence when it comes to making cybersecurity decisions in an enterprise. Security leaders need to know how to work with them effectively. To get the perspective of a leader in a legal department, we interviewed Joel Smith, Senior Vice President of Legal and General Counsel at Trustwave.
Joel: Ten years ago, an in-house legal team didn’t have a huge role in confronting cybersecurity risk with the exception of some large companies. But it’s been something the legal field has had to develop quickly in response to data protection laws that have become front of mind for many people and companies, changing the role of an in-house legal team when it comes to cybersecurity.
Joel: Our legal team interacts with the cybersecurity team fairly frequently to identify risk as it relates to two distinct areas.
Joel: It’s changing quite rapidly. Five to ten years ago, most laws and regulations mentioning cybersecurity would say something broad. You’d need to have “reasonable security practices” or have to comply with some basic standard. But we’re getting to the point where laws like California’s IoT Security Law, and the new government mandate, the Cybersecurity Maturity Model Certification (CMMC), are more prescriptive in nature.
They tell you more exactly what kind of measures you need to implement. Now if the legal team doesn’t have cybersecurity expertise, it can’t properly advise on the risk. How legal teams approach cybersecurity will continue to change as various states and even the federal government enact their own GDPR-style laws.
Joel: How the roles of each department (cybersecurity and legal) shake out varies from company to company. Trustwave is interesting because cybersecurity is our product, so there’s an overlap where the lawyers need to have a good understanding of cybersecurity just to negotiate contracts and assess vendors.
For example, we expect any law firms to maintain good security postures and we talk to our procurement teams to make sure that Trustwave vendors have security standards built into contracts.
Internally, legal departments rely on cybersecurity teams to keep the company’s data safe and help advise on various regulations. Our mutual goal is to avoid data breaches and regulatory issues. We must be aligned and educated in order to meet our customers’ expectations.
Joel: Essentially, they’re two sides of the same coin. Both are trying to prevent and mitigate risk. The Chief Legal Officer (CLO) or general counsel is focused on mitigating legal risk while the Chief Information Security Officer (CISO) is focused on mitigating cyber risk. Their knowledge of law and technology can be combined to de-risk the company from legal risk and intrusion. A CISO should have the technical security expertise to help guide and enable the CLO to give legal guidance relating to the company’s legal posture. The best case is the CLO and CISO have separate but overlapping expertise to confront the various risks posed by cyber threats.
Joel: There should be an open line of communication between the two, so we can respond to any level of risk and know how to protect ourselves from that risk as changes in laws and technologies arise.
Each department should also include each other in certain internal processes like when we negotiate contracts with customers and vendors. During these negotiations, many companies will have specific data use and security policies and we need to make sure our systems are compliant, at a minimum. The legal team relies on the information security team to assist in answering these questions.
Likewise, when a new vendor is considered, the security team asks “does this vendor have good security?” while the legal team asks “does this vendor follow GDPR, and all applicable data storage laws?”
These teams also collaborate when a company tracks and classifies the regulated data that flows through the company, like GDPR requires. A CISO should know where it’s stored, how it’s secured, who has access, and how it’s processed. The legal team should opine on how that complies with GDPR.
If a company is faced with some sort of breach or incident response, that’s when several departments - legal, corporate communications and public relations, and cybersecurity - need to work hand in hand to manage data risk, legal risk, and reputational risk. That requires a strong incident response system in place, hopefully set up in advance, where all those teams work together.
Finally, both the CISO and CLO should engage in an ongoing conversation regarding changes in laws and types of systems, and prioritize areas where the company could do more. Those are the kinds of scenarios where the two department heads would work pretty closely together.
Joel: In-house lawyers must have a basic understanding of security technology and practices to protect the company from cyber risk and legal risk. With that understanding you can have productive conversations with the cybersecurity team and design legal processes accordingly.
Joel: You should avoid any scenario where you position each other in a way that’s adversarial. The CLO and CISO are trying to answer the same questions and solve the same problems: How do we make our customers happy and how do we protect our company? The CISO does it via managing a technology and policy framework and the CLO from a legal framework.
Joel: Many lawyers tend to communicate with legal concepts and language and CISOs speak within a heavy security context. That’s a challenging bridge to cross. When you have a deep understanding of your own industry, it can be hard to have a productive conversation and reach an understanding. Resolving this requires both sides to thoroughly explain their perspective.
There’s inherent conflict at times as to who owns certain issues, especially as laws are becoming more prescriptive in terms of what’s required. A legal team may feel that the interpretation of certain laws is within its purview when it has been the CISO’s in the past. As cybersecurity and privacy regulations evolve, this is going to overlap more and more.
Joel: I find the legal department works best when it works as the advisor to the business and not the decision maker. We provide the guidance, what we think it means for the company, and what the potential issue is. If the CISO disagrees, but it’s risky enough, it gets escalated to the CEO or whoever the CISO reports to.
Like with any profession, there are lawyers who have huge egos and think it’s their call. In my opinion, it works better if lawyers act as subject matter advisors for the client making the final decision. If you follow that guiding principle, things will work better.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.